TY - GEN
T1 - Towards an Explainable Approach for Insider Threat Detection
T2 - 1st International Conference on Intelligent Data Science Technologies and Applications, IDSTA 2020
AU - Orizio, Riccardo
AU - Vuppala, Satyanarayana
AU - Basagiannis, Stylianos
AU - Provan, Gregory
N1 - Publisher Copyright:
© 2020 IEEE.
PY - 2020/10/19
Y1 - 2020/10/19
N2 - Insider threats are considered a major threat to information and communication technology (ICT) systems, creating an important source of vulnerabilities from a security perspective. The technical knowledge that insiders have about the ICT systems, such as their IT infrastructure, the high load of data generated by other employees of the company, which hides insiders' activities, their access rights, as well as the confidentiality of the data to which they have access, creates the perfect scenario for a powerful yet undetected attack. State-of-the-art techniques and security operations center tools struggle to come up with effective solutions to recognise these threats. Therefore, in this paper, we propose a novel artificial intelligence based constraint learning technique to help their detection. The approach creates an optimized constraint network representing the nominal behaviour of an employee and detects threatening events when their associated costs are above a certain threshold. The threshold is learnt alongside the constraint network model. The proposed approach is based on detection models able to provide human-interpretable feedback regarding the detection performed. This information is crucial in helping system operators understand why the detection has occurred and act promptly on the threat. The explanation comes directly from the structure of the detection model and relies on the identification of which constraints are being violated. The approach is tested on the CERT insider threat dataset v4.2 and the results obtained look promising, achieving at least the same accuracy as other state-of-the-art techniques as well as providing the details regarding the broken constraints of the threat. A comparison with state-of-the-art techniques applied on this dataset is also provided, showing the strength of our results.
AB - Insider threats are considered a major threat to information and communication technology (ICT) systems, creating an important source of vulnerabilities from a security perspective. The technical knowledge that insiders have about the ICT systems, such as their IT infrastructure, the high load of data generated by other employees of the company, which hides insiders' activities, their access rights, as well as the confidentiality of the data to which they have access, creates the perfect scenario for a powerful yet undetected attack. State-of-the-art techniques and security operations center tools struggle to come up with effective solutions to recognise these threats. Therefore, in this paper, we propose a novel artificial intelligence based constraint learning technique to help their detection. The approach creates an optimized constraint network representing the nominal behaviour of an employee and detects threatening events when their associated costs are above a certain threshold. The threshold is learnt alongside the constraint network model. The proposed approach is based on detection models able to provide human-interpretable feedback regarding the detection performed. This information is crucial in helping system operators understand why the detection has occurred and act promptly on the threat. The explanation comes directly from the structure of the detection model and relies on the identification of which constraints are being violated. The approach is tested on the CERT insider threat dataset v4.2 and the results obtained look promising, achieving at least the same accuracy as other state-of-the-art techniques as well as providing the details regarding the broken constraints of the threat. A comparison with state-of-the-art techniques applied on this dataset is also provided, showing the strength of our results.
KW - Anomaly detection
KW - Constraint Learning
KW - Constraint Programming
KW - Insider threat
KW - Machine Learning
KW - Security Operations Center
UR - https://www.scopus.com/pages/publications/85098638991
U2 - 10.1109/IDSTA50958.2020.9264049
DO - 10.1109/IDSTA50958.2020.9264049
M3 - Conference proceeding
AN - SCOPUS:85098638991
T3 - 2020 International Conference on Intelligent Data Science Technologies and Applications, IDSTA 2020
SP - 42
EP - 49
BT - 2020 International Conference on Intelligent Data Science Technologies and Applications, IDSTA 2020
A2 - Alsmirat, Mohammad
A2 - Jararweh, Yaser
A2 - Lloret Mauri, Jaime
A2 - Aloqaily, Moayad
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 19 October 2020 through 22 October 2020
ER -